feat(bugfix): better sentry implementation, async vault, contextId on… (#29)

* feat(bugfix): better sentry implementation, async vault, contextId on logs, reduce vault api call in parallel

* feat(log): traduce in english

Author: SoulKyu

main.go

@@ -28,7 +28,7 @@ func main() {
 	}
 	logger.Initialize(*cfg)
 	log := logger.GetLogger()
-	sentryService := sentry.NewSentry(cfg.SentryDsn, cfg.Sentry)
+	sentryService := sentry.NewSentry(cfg.SentryDsn, cfg.Sentry, cfg.SentryEnvironment)
 	sentryService.StartSentry()
 
 	k8sClient := k8s.NewClient()
@@ -40,7 +40,7 @@ func main() {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	c := controller.NewController(cfg, clientset)
+	c := controller.NewController(cfg, clientset, sentryService)
 
 	switch cfg.Mode {
 	case "injector":

pkg/config/config.go

@@ -11,22 +11,24 @@ import (
 )
 
 type Config struct {
-	CertFile          string `yaml:"certFile" envconfig:"cert_file"`
-	KeyFile           string `yaml:"keyFile" envconfig:"key_file"`
-	VaultAddress      string `yaml:"vaultAddress" envconfig:"vault_address"`
-	VaultAuthPath     string `yaml:"vaultAuthPath" envconfig:"vault_auth_path"`
-	LogLevel          string `yaml:"logLevel" envconfig:"log_level"`
-	KubeRole          string `yaml:"kubeRole" envconfig:"kube_role"`
-	TokenTTL          string `yaml:"tokenTTL" envconfig:"token_ttl"`
-	VaultSecretName   string `yaml:"vaultSecretName" envconfig:"vault_secret_name"`
-	VaultSecretPrefix string `yaml:"vaultSecretPrefix" envconfig:"vault_secret_prefix"`
-	Mode              string `yaml:"mode" envconfig:"mode"`
-	Sentry            bool   `yaml:"sentry" envconfig:"sentry"`
-	SentryDsn         string `yaml:"sentryDsn" envconfig:"sentry_dsn"`
-	SyncTTLSecond     int    `yaml:"syncTTLSecond" envconfig:"sync_ttl_second"`
-	InjectorLabel     string `yaml:"injectorLabel" envconfig:"injector_label"`
-	DefaultEngine     string `yaml:"defaultEngine" envconfig:"default_engine"`
-	VaultRateLimit    int    `yaml:"vaultRateLimit" envconfig:"vault_rate_limit"`
+	CertFile          string  `yaml:"certFile" envconfig:"cert_file"`
+	KeyFile           string  `yaml:"keyFile" envconfig:"key_file"`
+	VaultAddress      string  `yaml:"vaultAddress" envconfig:"vault_address"`
+	VaultAuthPath     string  `yaml:"vaultAuthPath" envconfig:"vault_auth_path"`
+	LogLevel          string  `yaml:"logLevel" envconfig:"log_level"`
+	KubeRole          string  `yaml:"kubeRole" envconfig:"kube_role"`
+	TokenTTL          string  `yaml:"tokenTTL" envconfig:"token_ttl"`
+	VaultSecretName   string  `yaml:"vaultSecretName" envconfig:"vault_secret_name"`
+	VaultSecretPrefix string  `yaml:"vaultSecretPrefix" envconfig:"vault_secret_prefix"`
+	Mode              string  `yaml:"mode" envconfig:"mode"`
+	Sentry            bool    `yaml:"sentry" envconfig:"sentry"`
+	SentryDsn         string  `yaml:"sentryDsn" envconfig:"sentry_dsn"`
+	SentryEnvironment string  `yaml:"sentryEnvironment" envconfig:"sentry_environment"`
+	SentrySampleRate  float64 `yaml:"sentrySampleRate" envconfig:"sentry_sample_rate"`
+	SyncTTLSecond     int     `yaml:"syncTTLSecond" envconfig:"sync_ttl_second"`
+	InjectorLabel     string  `yaml:"injectorLabel" envconfig:"injector_label"`
+	DefaultEngine     string  `yaml:"defaultEngine" envconfig:"default_engine"`
+	VaultRateLimit    int     `yaml:"vaultRateLimit" envconfig:"vault_rate_limit"`
 }
 
 func NewConfig(configFile string) (*Config, error) {
@@ -43,10 +45,12 @@ func NewConfig(configFile string) (*Config, error) {
 		Mode:              "all",
 		Sentry:            false,
 		SentryDsn:         "",
+		SentryEnvironment: "production",
+		SentrySampleRate:  1.0,
 		SyncTTLSecond:     300,
 		InjectorLabel:     "vault-db-injector",
 		DefaultEngine:     "databases",
-		VaultRateLimit:    50,
+		VaultRateLimit:    30,
 	}
 	if configFile != "" {
 		data, err := os.ReadFile(configFile)

pkg/controller/controller.go

@@ -12,6 +12,7 @@ import (
 	"github.com/numberly/vault-db-injector/pkg/prometheus"
 	"github.com/numberly/vault-db-injector/pkg/renewer"
 	"github.com/numberly/vault-db-injector/pkg/revoker"
+	"github.com/numberly/vault-db-injector/pkg/sentry"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 )
@@ -24,19 +25,21 @@ type Controller struct {
 	Lock      *resourcelock.LeaseLock
 	PodName   string
 	log       logger.Logger
+	sentry    sentry.SentryService
 }
 
-func NewController(cfg *config.Config, Clientset *kubernetes.Clientset) *Controller {
+func NewController(cfg *config.Config, Clientset *kubernetes.Clientset, sentrySvc sentry.SentryService) *Controller {
 	return &Controller{
 		Cfg:       cfg,
 		Clientset: Clientset,
 		log:       logger.GetLogger(),
+		sentry:    sentrySvc,
 	}
 }
 
 func (c *Controller) RunInjector(ctx context.Context, errChan chan<- error, runSuccess chan<- bool) {
 	c.log.Info("Starting server in mode injector")
-	is := injector.NewWebhookStartor(c.Cfg, errChan, runSuccess)
+	is := injector.NewWebhookStartor(c.Cfg, errChan, runSuccess, c.sentry)
 	hcService := healthcheck.NewService()
 	hcService.RegisterHandlers()
 	go hcService.Start(ctx, stopChan)

pkg/injector/injector.go

@@ -3,6 +3,7 @@ package injector
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"net/http"
 	"os"
 	"time"
@@ -14,6 +15,7 @@ import (
 	"github.com/numberly/vault-db-injector/pkg/k8smutator"
 	"github.com/numberly/vault-db-injector/pkg/logger"
 	promInjector "github.com/numberly/vault-db-injector/pkg/prometheus"
+	"github.com/numberly/vault-db-injector/pkg/sentry"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	kwhhttp "github.com/slok/kubewebhook/v2/pkg/http"
@@ -34,14 +36,16 @@ type starterImpl struct {
 	errChan     chan<- error
 	successChan chan<- bool
 	log         logger.Logger
+	sentry      sentry.SentryService
 }
 
-func NewWebhookStartor(cfg *config.Config, errChan chan<- error, successChan chan<- bool) Startor {
+func NewWebhookStartor(cfg *config.Config, errChan chan<- error, successChan chan<- bool, sentrySvc sentry.SentryService) Startor {
 	return &starterImpl{
 		cfg:         cfg,
 		errChan:     errChan,
 		successChan: successChan,
 		log:         logger.GetLogger(),
+		sentry:      sentrySvc,
 	}
 }
 
@@ -58,6 +62,7 @@ func (s *starterImpl) StartWebhook(ctx context.Context, stopChan chan struct{})
 	metricsRec, err := kwhprometheus.NewRecorder(kwhprometheus.RecorderConfig{Registry: reg})
 	if err != nil {
 		close(stopChan)
+		s.sentry.CaptureError(err)
 		s.log.Fatalf("could not create Prometheus metrics recorder: %v", err)
 	}
 
@@ -70,23 +75,27 @@ func (s *starterImpl) StartWebhook(ctx context.Context, stopChan chan struct{})
 	wh, err := kwhmutating.NewWebhook(mcfg)
 	if err != nil {
 		close(stopChan)
+		s.sentry.CaptureError(err)
 		return errors.Newf("error creating webhook: %w", err)
 	}
 
 	serverCert, err := tls.LoadX509KeyPair(s.cfg.CertFile, s.cfg.KeyFile)
 	if err != nil {
 		close(stopChan)
+		s.sentry.CaptureError(err)
 		s.log.Fatalf("Failed to load server certificate: %v", err)
 	}
 
 	caCertPool, err := k8sClient.GetKubernetesCACert()
 	if err != nil {
 		close(stopChan)
+		s.sentry.CaptureError(err)
 		s.log.Fatalf("Failed to get Kubernetes CA certificate: %v", err)
 	}
 
 	certByte, err := os.ReadFile(s.cfg.CertFile)
 	if err != nil {
+		s.sentry.CaptureError(err)
 		logger.Errorf(err.Error())
 	}
 	caCertPool.AppendCertsFromPEM(certByte)
@@ -98,9 +107,13 @@ func (s *starterImpl) StartWebhook(ctx context.Context, stopChan chan struct{})
 	})
 	if err != nil {
 		close(stopChan)
+		s.sentry.CaptureError(err)
 		return errors.Newf("error creating webhook handler: %w", err)
 	}
 
+	// Add Sentry recovery middleware
+	wrappedHandler := SentryRecoveryMiddleware(s.sentry)(whHandler)
+
 	// Configurer mTLS
 	tlsConfig := &tls.Config{
 		Certificates: []tls.Certificate{serverCert},
@@ -112,7 +125,7 @@ func (s *starterImpl) StartWebhook(ctx context.Context, stopChan chan struct{})
 		ReadTimeout:  10 * time.Second,
 		WriteTimeout: 10 * time.Second,
 		TLSConfig:    tlsConfig,
-		Handler:      whHandler,
+		Handler:      wrappedHandler,
 	}
 
 	s.successChan <- true
@@ -123,6 +136,7 @@ func (s *starterImpl) StartWebhook(ctx context.Context, stopChan chan struct{})
 		logger.Infof("Listening on :8443")
 		err = httpServer.ListenAndServeTLS("", "")
 		if err != nil {
+			s.sentry.CaptureError(err)
 			errCh <- errors.Newf("error serving webhook: %w", err)
 			close(stopChan)
 		}
@@ -134,6 +148,7 @@ func (s *starterImpl) StartWebhook(ctx context.Context, stopChan chan struct{})
 		logger.Infof("Listening metrics on :8080")
 		err = http.ListenAndServe(":8080", promhttp.HandlerFor(reg, promhttp.HandlerOpts{}))
 		if err != nil {
+			s.sentry.CaptureError(err)
 			errCh <- errors.Newf("error serving webhook metrics: %w", err)
 			close(stopChan)
 		}
@@ -144,16 +159,34 @@ func (s *starterImpl) StartWebhook(ctx context.Context, stopChan chan struct{})
 		select {
 		case err := <-errCh:
 			if err != nil {
+				s.sentry.CaptureError(err)
 				s.log.Errorf("Server error: %v", err)
 				close(stopChan)
 				s.errChan <- err
 			}
 		case <-ctx.Done():
-			s.log.Info("Shutting down servers due to context cancellation")
+			shutdownMess := "Shutting down servers due to context cancellation"
+			s.sentry.CaptureMessage(shutdownMess)
+			s.log.Info(shutdownMess)
 			httpServer.Shutdown(ctx)
 			close(stopChan)
 			// Shutdown metrics server as well
 		}
 	}()
 	return nil
 }
+
+// Add this recovery middleware function
+func SentryRecoveryMiddleware(sentrySvc sentry.SentryService) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			defer func() {
+				if err := recover(); err != nil {
+					sentrySvc.CaptureError(fmt.Errorf("panic in webhook handler: %v", err))
+					w.WriteHeader(http.StatusInternalServerError)
+				}
+			}()
+			next.ServeHTTP(w, r)
+		})
+	}
+}

pkg/k8s/parse_annotations.go

@@ -51,7 +51,7 @@ func NewService(cfg config.Config, pod *corev1.Pod) *ParserService {
 	}
 }
 
-func (s *ParserService) GetPodDbConfig() (*podDbConfig, error) {
+func (s *ParserService) GetPodDbConfig(contextId string) (*podDbConfig, error) {
 	estimatedSize := len(s.pod.Annotations)
 	dbConfigurations := make([]DbConfiguration, 0, estimatedSize)
 	vaultDbPath, ok := s.pod.Annotations[ANNOTATION_VAULT_DB_PATH]
@@ -67,12 +67,12 @@ func (s *ParserService) GetPodDbConfig() (*podDbConfig, error) {
 			// Extract the database name and configuration type (e.g., dbname, dbaddress) from the key
 			keyParts := strings.SplitN(key, "/", 2)
 			if (len(keyParts) < 2 && key != "role") || (len(keyParts) < 2 && key != "cluster") {
-				s.log.Printf("Warning: Annotation '%s' does not follow the expected format 'db-creds-injector.numberly.io/dbname.configtype'", key)
+				s.log.Printf("%s: Warning: Annotation '%s' does not follow the expected format 'db-creds-injector.numberly.io/dbname.configtype'", contextId, key)
 				continue // Skip if the annotation doesn't follow the expected format
 			}
 			dbConfigKeyParts := strings.SplitN(keyParts[1], ".", 2)
 			if (len(dbConfigKeyParts) < 2 && key != "role") || (len(dbConfigKeyParts) < 2 && key != "cluster") {
-				s.log.Printf("Warning: Configuration for '%s' does not include a database name and type", key)
+				s.log.Printf("%s: Warning: Configuration for '%s' does not include a database name and type", contextId, key)
 				continue // Skip if the configuvaultConnation doesn't include a database name and type
 			}
 			dbName := dbConfigKeyParts[0]
@@ -98,7 +98,7 @@ func (s *ParserService) GetPodDbConfig() (*podDbConfig, error) {
 
 			}
 
-			s.log.Infof("La valeur du role est : %s", dbc.Role)
+			s.log.Infof("%s: The role value is : %s", contextId, dbc.Role)
 
 			// Assign the configuration value based on the type
 			switch configType {
@@ -115,7 +115,7 @@ func (s *ParserService) GetPodDbConfig() (*podDbConfig, error) {
 			case "role":
 				dbc.Role = value
 			default:
-				s.log.Infof("db configuration is not handled : %s", configType)
+				s.log.Infof("%s db configuration is not handled : %s", contextId, configType)
 			}
 
 		}

pkg/k8s/parse_annotations_test.go

@@ -19,7 +19,7 @@ func TestGetPodDbConfigWithoutAnnotations(t *testing.T) {
 	pod := &corev1.Pod{} // Mock pod without any annotations
 
 	service := k8s.NewService(cfg, pod)
-	podDbConfig, err := service.GetPodDbConfig()
+	podDbConfig, err := service.GetPodDbConfig("id-1")
 
 	assert.NoError(t, err)
 	// The VaultDbPath should default to cfg.DefaultEngine when no annotation is present.
@@ -53,7 +53,7 @@ func TestGetPodDbConfigWithAnnotationsModeURI(t *testing.T) {
 	}
 
 	service := k8s.NewService(cfg, pod)
-	podDbConfig, err := service.GetPodDbConfig()
+	podDbConfig, err := service.GetPodDbConfig("id-1")
 
 	assert.NoError(t, err)
 	assert.Equal(t, "custom-engine-path", podDbConfig.VaultDbPath)
@@ -84,7 +84,7 @@ func TestGetPodDbConfigWithAnnotationsModeClassic(t *testing.T) {
 	}
 
 	service := k8s.NewService(cfg, pod)
-	podDbConfig, err := service.GetPodDbConfig()
+	podDbConfig, err := service.GetPodDbConfig("id-1")
 
 	assert.NoError(t, err)
 	assert.Equal(t, "custom-engine-path", podDbConfig.VaultDbPath)
@@ -114,7 +114,7 @@ func TestGetPodDbConfigWithAnnotationsModeClassicWithoutDbPath(t *testing.T) {
 	}
 
 	service := k8s.NewService(cfg, pod)
-	podDbConfig, err := service.GetPodDbConfig()
+	podDbConfig, err := service.GetPodDbConfig("id-1")
 
 	assert.NoError(t, err)
 	assert.NotEmpty(t, podDbConfig.DbConfigurations)